So your problem is that you have signed your server cert with a CA from
one CA chain and your clients with another CA, and you don't want clients
that are not signed by your client CA to connect?
This sounds more like a case for ACLs and matching rules, since AFAIK
you cannot tell LDAP to only trust a CA for server cert verification
purposes. A CA is trusted or not.
--
Technische Universität Berlin - FGINET
Bernd May
System Administration
An-Institut Deutsche Telekom Laboratories
Sekr. TEL 16
Ernst-Reuter-Platz 7
10587 BERLIN
GERMANY
Mobile: 0160/90257737
E-Mail: bernd@net.t-labs.tu-berlin.de (T-Labs work)
WWW: net.t-labs.tu-berlin.de
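As an added illustration of the ACL approach suggested in the reply above (this is not configuration from the original thread, and the file paths, DN suffixes and subject naming convention are assumed): an OpenLDAP slapd.conf fragment that trusts both CAs at the TLS layer, because the server CA chain has to be in the trust bundle anyway and slapd cannot restrict one CA to server verification only, and then limits what a connecting client may do via authz-regexp and an ACL. The fragment assumes the client CA issues certificates whose subjects live under "ou=clients,o=example" and that clients bind with SASL EXTERNAL, so the restriction is really on the certificate subject namespace rather than on the issuing CA; a certificate from the other CA with a subject in that same namespace would also be accepted, which is the caveat the reply hints at.

```text
# slapd.conf fragment (assumed illustration, not from the original post).
# Both the server CA chain and the client CA are in one bundle: slapd
# treats every CA in this file as trusted for client certs as well.
TLSCACertificateFile    /etc/ldap/ssl/ca-bundle.pem
TLSCertificateFile      /etc/ldap/ssl/ldap-server.crt
TLSCertificateKeyFile   /etc/ldap/ssl/ldap-server.key

# Require a client certificate that chains to a CA in the bundle.
TLSVerifyClient demand

# SASL EXTERNAL presents the certificate subject DN as the identity.
# Map only subjects issued under the assumed client-CA naming convention
# (ou=clients,o=example) onto entries in the directory; anything else
# keeps its raw subject DN and matches no ACL below.
authz-regexp
    "^cn=([^,]+),ou=clients,o=example$"
    "cn=$1,ou=people,dc=example,dc=com"

# Only mapped identities get read access; unmapped subjects get nothing.
access to *
    by dn.regex="^cn=[^,]+,ou=people,dc=example,dc=com$" read
    by * none
```

Clients should then bind with `-Y EXTERNAL` over TLS (for example `ldapwhoami -H ldaps://ldap.example.com -Y EXTERNAL`, with LDAPTLS_CERT and LDAPTLS_KEY pointing at their client cert and key) so that the certificate subject is used as the bind identity and passes through the authz-regexp mapping.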